Learn Hardware Hacking!

John Hammond · Beginner · 🔐 Cybersecurity · 8mo ago

Key Takeaways

The video covers hardware hacking basics, including device debugging, UART shells, the JTAG interface, and firmware extraction, with hands-on training and exercises using the UART and JTAG interfaces and a logic analyzer.

Full Transcript

Learn cybersecurity and focused technical training with justhacking.com, where all-star instructors and industry experts provide hands-on, affordable, and practical learning across courses, free upskill challenges, hack-along training videos, and capture-the-flag competitions. There's always something to hack. With new content twice a month, all throughout the year, plus bimonthly live streams, you can sharpen your skills in our on-demand and interactive lab environments. Advance your career and level up regardless of your experience or budget. Forget all the noise and get to just hacking. Sign up now at justhacking.com.

>> Hello everybody. Welcome, welcome to the show. Welcome to another JHT, Just Hacking Training, live stream. In case you've been tracking, hey, you know, we've got a live stream out the door yesterday and the day before that, Monday, Tuesday, and now today, Wednesday. Look, we've been doing a little bit of a Just Hacking Training live stream week. But I gotta be honest with you, it's because we are really doing our darnedest to keep the hype train rolling for BSides Chicago and our live and in-person training. So we've been running out with Michelle. We've been hanging out with a little bit of me doing some script-based malware analysis. Michelle, of course, was covering OSINT, open source intelligence. But I did want to show you, I did want to bring these back to your attention, and I'll share my screen for just a quick moment and then we'll get to the real star of the show. We'll get to our guest today, because BSides Chicago workshops, it's where this is all at. We'll have a couple links flying around in chat if folks are able to be there with us. We're stoked for this because it's live and in-person training. Really cool milestone. Honestly, just genuinely a goal of ours to be able to teach, to be able to train IRL, in real life. And look, food's included. You've got meals all throughout the day.
You get to spend a full day hanging out with some of us and learn a little bit of either malware analysis or some open source intelligence. But the real star of the show today, the feature segment, is hardware hacking with Trevor. Trevor Stavado. Super stoked to learn a little bit about that, because I think that is just irreplaceable when it's physical, real world, with specific hardware and a hands-on kit. We'll get to talk about that in just a second, but you can't have that anywhere else, really, other than in person. But we'll talk a little bit more about that. Let me stop sharing my screen, unless I'm forgetting to say anything. I think I've got it all. I think I got it all. All right, we'll stop on my side and I will bring in Trevor if he's up for it, if he's willing to join the party here. Some live demos, or at least we've got some of the cool video footage of him getting a chance to work with the kit, and we'll talk a little bit more about it. AMA of course too, just as well. Any questions in chat? Please do drop them in. So, all right, Trevor, are you with me? Are you good? Can I pull you in? I know I can't see you when you're backstage, but I do this hopefully, just crossing my fingers. Three, two, one.

>> I'm here.

>> You're here. Excellent. Thank you so much, Trevor. Hey, thank you. Thank you. Thank you. You know, I can't say it enough. Making some time to be here, having a chance to hang out with us. I think you're busy these days. I think you got a lot going on and you're running around, right?

>> I do have a few new things going on. But I am excited for the chance to be here with you and to chat about this course.

>> Well, Trevor, would you mind filling in the gaps?
Maybe some folks aren't too familiar with who you are, what you've been up to, where you really got started in all this, because I know you're doing some incredible stuff with hardware hacking and you've been doing that forever. But can you let us know how you got your start in it, what you've been doing, how did this expertise become your passion here?

>> Yeah, so I've been around security for a long time, going back to, I would say, 2008 is when I first got my start into web app security and network security and that kind of stuff. And I started my own consulting company back in 2016 doing web app and network stuff. And it wasn't until DEF CON 26 where I really started to focus a little more on hardware. And that was just kind of a pure random chance. Some friends and I sat down at the IoT CTF and just played along in that CTF and actually ended up winning, and winning a black badge from that CTF. So, thank you. Thank you. That was a fun experience, and it really opened my eyes to the vulnerabilities in IoT devices and really got my curiosity going and wanted me to get into it more. So I used that motivation. The group of us actually joined IoT Village and worked with them over the following years developing the CTF, and ended up taking over a lot of the running of the CTF for a number of years. And then in the last couple years I created a new village at DEF CON, the Embedded Systems Village, and I've been running that. I recently stepped away from my consulting company to do some different things, this being one of the things that I'm doing. Also doing some other non-tech stuff, as my friends tell me. I'm completing my cyber arc, getting out of tech and doing some non-tech stuff now.
>> Well, I think it's pretty awesome because, you know, the skill set, the specialty, it all still carries to kind of whatever you're chasing, especially in that hardware hacking and embedded systems world. I'll be the first to admit, though, I am not smart at all in hardware hacking. So I might ask you to hold my hand for a lot of the concepts, for a lot of the stuff that you walk through. I got a whole lot to learn and I'm looking forward to you schooling me here.

>> Yeah, no worries. I'm excited to share with you as well.

>> Can you tell me a little bit about what your workshop is all about? I don't know if there's any sort of outline or bit of the curriculum, because I think the plan is, and I'm super thankful for this, right? Hey, once you've got this take-home kit that's included and available there for you for live and in-person training, even after the fact, we do want to get this thing up online and on demand so you could still dive into it virtually on the Just Hacking Training platform too, right?

>> That's right. Yeah. I think there's going to be no substitution for in-person training. That's always going to be the best way to learn hardware hacking, but we are going to try to break this into a package that you can take and do on your own as well. So, to give you sort of the outline of what we're looking at: I think one of the most interesting things about hardware hacking is taking a unique black-box device and using the tools and techniques available to you to really peel back the curtain and understand it at a sort of deeper layer. So we're going to get into some of the functionality that manufacturers of these devices rely on for their own debugging, and how we can use those methods to get additional access to the system to look at, you know, the code that's running. Potentially even hook debuggers onto stuff as we're testing it, right?
Get a lot more visibility onto the target as we're testing it. So we'll show some of the methods that we use to do that, those being UART shells, for example, and I'll give a bit more talk about that in my demo. One of the other technologies is JTAG, and so we'll show what that is and how that can be used to get access to the device. And then we'll also look at, you know, these are devices that have discrete memory chips: how do those memory chips work, and how can we interact with those memory chips to pull the code off of them, so that we can then again look at things with a bit more of a white-box approach and view of things. And then once you get the data off of those chips, what is the format of that data? What does that look like? And we talk about that as being firmware on these devices. And so what is firmware? How do you look at it? How do you extract it back to something that makes a little bit more sense for us to analyze? And so those are the key topics that we're going to be covering throughout the day. There's going to be a bunch of hands-on exercises that will go through the very basics of just, you know, getting the connection and getting a UART console working. And then we'll iterate on that a little bit. Okay, now that you have a UART shell, what do you do with it? How can you use that to get more access and more visibility into this device?

>> Do you mind falling off the cliff for UART already? Could you fill in the gaps for me even? What is that acronym? UART?

>> UART stands for universal asynchronous receiver-transmitter, and it's a really, really old protocol.
It's been around for quite a while, but it's used quite commonly on IoT and embedded devices for either, you know, device-to-device communication, but more commonly, and what we're more interested in, is it can be an output interface for a console. So a lot of developers will output the Linux console to a UART interface. And so it's a two-wire interface. So there's a separate transmit pin and a receive pin. And then through those two pins, you send data signals that can be interpreted and rendered back to an actual console shell, like as if you were SSHed into this device, but doing it through hardware.

>> I have to quell the non-believers in chat. I do see a couple folks like, "Oh, is this pre-recorded? Is this really live or is it not live?" No, we're live. We're always doing it live, guys. But with that, I know you've got, I don't know, do you have a copy of the board or maybe the circuit? Are you willing to show off? Yeah.

>> Yeah. So this is a custom-designed board that I made specifically for this training. And so this is just the prototype version of it, but you can see that there's a main processor in the middle, an SD card slot, a USB-C interface, a couple buttons, and then all these pin headers around the side. And so the purpose of these pin headers is to expose some of the functionality that we're going to play with in the course. So there are pin headers for the UART, where the UART console is going to be output. There are pin headers for the JTAG interface. I think I'm pointing to the right ones. And there's interfaces for the flash chip and reading the flash chip on one of its protocols. And so we're going to go through in the course how to interact with these and how to talk those protocols. The other piece that is essential for working on this is another interface device that I built.
So this one, if you're familiar with something like the Shikra, which is an older tool that was developed a few years ago for hardware interaction. There are a bunch of other versions of this similar device now. I know some other people are making different versions of it. This one is different from many of the ones that I've seen before in that it exposes all the headers. Normally there's a single bank of headers that is sort of multiplexed for the different functionalities. I decided to break each header out separately so you have each functionality clearly labeled. And I'm going to do some color coding of the headers on these so that it's easy to figure out which bank of headers here matches up to the bank of headers here, because, you know, I've taught this course in various versions a few times and I've seen the sort of pitfalls that people struggle with, and I'm trying to solve that and make it easier so that it's not about the difficulties of the hardware. The difficulty is learning the content. That's what I wanted to be the challenging part: the content. I don't want you to be frustrated with dealing with the hardware.

>> And I think that's a really cool point to highlight, if I may, is like these boards, these circuits, right? What you're working with were custom made, tailored, and built for this education, like for this training, right? Yeah. You made this.

>> So this one is a modified version of the Shikra. The Shikra was an open source product, and so using the schematics for the Shikra, it's modified, it's using a different main chip. The Shikra used an FT232, is what they called it. It was a Future Technology Devices International, FTDI, chip. It was one of their chips that is a USB-to-serial converter. So it takes serial data and exposes that over a USB interface.
So that's the main, you know, magic that happens on this board. This chip is an FT2232, which all that means is it's got two channels. It can do two different interactions with two different serial devices at the same time. It shows up as two different serial devices to your system.

>> Neat.

>> Yeah. Yeah. And the two is handy because you can do some interesting things now where I can monitor with a UART console and see what's happening on the shell and, you know, actually run commands at the same time as I'm doing a JTAG debugging session and seeing what's happening over JTAG. So that gives you the flexibility to do multiple things at once, which is pretty cool for hardware hacking.

>> That's got to be very convenient, especially as you're, like, poking around and playing and exploring. Kind of doing it one at a time's got to be a little slow.

>> Yeah. Or, you know, most computers don't have very many USB ports, and so being able to do it over one port is a bit of a help.

>> Cool.

>> The other fun thing that this board allows us to do is it can replace kind of a logic analyzer. It has four signals, or four pins, that I can use to do logic analysis. And what I mean by that is I can connect it to a program which will monitor the logic levels of each of these pins, so whether they're high or low, and what that helps us do is discover which pins on this board are actually communicating data, because I can connect up these pins to those monitoring pins, run the sampling program, and see which pins are transmitting data. And we'll do an example of that later to sort of solidify that and drive that home. But the cool thing is that eliminates the need for an additional device. We can do it all with this one board.

>> It's funny. I'm teeing up your demo, or I'm trying to, but I don't know enough as to like, oh, when is the fine segue?
When is the right transition to get you to show it off live? Is there more to dig into? I love the fact that, look, this is a take-home kit, like, and you get to show up for the class, you get to be there for the live training, but then you do get to bring that home. And do folks need any more gear or anything else? Are any other, I don't know, the logic analyzers, or are there other hardware things that people even use for their own equipment to poke and explore with this, beyond what might come in the class?

>> So for this class and the exercises that we're doing, these are the only pieces of equipment that are needed.

>> I will ask people to bring USB cables, because that's just not something we have a whole bunch of lying around. So if you can bring some USB-C cables, I figure most people have those, bring some with you. The other part that you'll need, actually, is these, and we'll provide these: the header wires that will connect between the two devices.

>> So this will be, you know, your kit that you're going to get, these two devices with the header wires. You need USB cables, and that's everything you need to do our workshop and our lessons. Other stuff you might want to have if you're getting into hardware hacking, of course, is like a multimeter. Multimeters are very useful for, you know, testing different functionality, different, you know, see if there's power applied to a certain area, testing ground, testing continuity, and finding ground pins is very important. These two boards can't really communicate to each other unless they have a common ground. That allows us to measure the signals appropriately. We can see, you know, if they have a common ground, this voltage means a one, versus not knowing whether that voltage is high or low.
>> I took electrical engineering as my undergrad when I went to the Coast Guard Academy for school, right? And I did not retain a darn thing, but voltage and resistance and watts and all those. So yeah, okay. I remember some of it here and there.

>> I have to admit that I did computer systems engineering. So I did a bit of electronics when I was in school, but I forgot so much of it and had to relearn so much after getting back into hardware hacking.

>> I did see some folks mention in the chat, you know, oh, they think of an Arduino, or even, I don't know what you could do with the Raspberry Pi and just getting a couple breadboards. Do you see those as, not to say the gateway drug into hardware hacking, but is that some of the fun toys to let any individual just jump in and play, or is there more?

>> Those are definitely the easy ones for people to acquire and get set up and start building test programs for, because there's so much documentation and libraries and example stuff that's out there for those platforms that make it really easy to use those and to start getting some experience to, what does a logic, what does that mean? What does logic level mean? And sort of seeing that in real time. The other, you know, easy way that people can get into this is to buy a cheap little camera off of eBay or Amazon and rip it apart, see what's on the board. You know, that's how we got into this when we started. I just started buying devices or finding devices at garage sales, thrift stores, whatever I could find, ripping them apart just to see what was inside and then try to understand what the internals were and how they worked.

>> Couple more questions that I saw come through and then I'd love to see any of the stuff you're willing to do some show-and-tell for. It sounds like folks, yep, should probably have their laptops there with the training as well.
If one were to get kind of the other equipment or any of those other toys on their own, are those expensive or are those still approachable for hobbyists? Or, really, again, what's the value coming from this kit?

>> Yeah. So, you know, you can get a Shikra-type device for, it's not too expensive, to get something like that. To get one that has a dual channel, I don't know very many that are available commercially. But, you know, I would say it's a $20 to $50, very inexpensive kind of component. This target board that we're building is a little bit unique, in that the reason why I like to build custom boards is I have full control from bootloader to full OS, and I can create exercises that mimic real-world devices and things that you would see in the real world, but I have full control over it and can structure it in a way that makes sense. Whereas if I pull a device off the shelf, I'm restricted to whatever it's offering me in terms of vulnerabilities that I can demonstrate. Whereas this one, I can demonstrate, you know, a multitude of different vulnerabilities by changing configuration and changing the software a little bit.

>> That is super cool. So the next question that came from that, though, was like, oh, how do you do that? How do you make or get a custom-made board? What is that whole process?

>> Yeah, so I can't claim to be an expert. I do have some resources that I use for the PCB design part of it as well. I contribute a lot to the brainstorm and figuring out what are the components we're going to use, because that's the big thing: picking your processor, picking your memory chips, and how this is all going to interact. The processor is going to have a big impact on what interfaces are available. Different processors will expose different interfaces; that's just how they've been created.
And so working with my designer, we chose, this board is actually running on an Allwinner T113 chip, which is a full, what we call, system on chip. So it's a processor. It's got the built-in memory inside the chip as well, the built-in RAM inside the chip, which makes the design a little bit simpler because we don't have to have external RAM. Dealing with external RAM from a processor is challenging from a design standpoint, because, you know, the speed at which the data travels on that makes the design of that PCB much more difficult. So choosing a processor with onboard RAM simplified the design, and then my designer does the layout of where everything's going to be on the board: picking all the passive components, all the resistors, capacitors, and every other piece that is needed to make this actually electrically function. And then I do the full OS, from the firmware to the operating system. I do the build and design and development of that.

>> That's super cool. Is it like hardcore low-level assembly or C, or how does that...

>> No, no, thank God, because I would cry. No, it's very similar to, you know, creating your own Linux kernel, and, you know, building a fresh kernel, building a fresh Linux operating system. There's a lot of resources out there that are very helpful for doing this, and projects like U-Boot. U-Boot is one of the standard bootloaders, and it's very well supported, very well documented. And so building U-Boot for this chip was actually quite simple. And then building a Linux kernel that supported this chip and an operating system that would run on top of it was also, you know, not astronomically hard. It's this typical Linux development stuff that you would do on a regular system, just a little bit different because you're running on a very specific processor, not on an Intel or AMD.
>> I was just googling off to the side to see U-Boot, and years ago when I was poking or playing with building a kernel or that sort of thing, I think it was osdev.org, or was one of those resources, and they have a big wiki that looked like it had a lot of operating system development guides and resources and tutorials. I don't know if that was one that you saw or think of or is good, but that's what I tried to pull off the side of the head.

>> Right. Right.

>> Cool.

>> Yeah, I'm not familiar with that one specifically. But, you know, these days Google is sometimes replaced by AI. So AI is quite good at pointing me to resources and figuring out where I need to look to learn those little tricks. But yeah.

>> Well, I think we gave you hopefully some good padding to get the conversation going. But what do you think? Are there any fireworks? Any show-and-tell? Any demos you're willing to do?

>> Yeah. So I do have, and I know this is, you know, the bad word, the pre-recorded word. I have a pre-recorded video just showing me interacting with these boards, because holding these up in front of the camera connecting wires to them is not going to be a good demo. So I pre-recorded that just so that you can see that a little bit easier. And then I'll have another demo showing me actually interacting, or tracing the signals on this device, and sort of giving you a bit more information about logic signals and what we're looking for when we're looking at that.

>> Sweet.

>> So...

>> I know that one is a little bit, oh, absolutely live kind of thing, right?

>> That one is absolutely live.

>> Sorry. So we'll still pray to the demo gods. I know it is live. Everybody freaking out in chat.

>> Okay, here's my video. So I'm going to talk along this as it goes up here. So this is, as I was showing before, that's our target board. And this is the prototype.
It's going to look a little bit different when it's the final version. And then this is my Shikra-type device that we're going to use to analyze it. The first step in, and these are the header wires that we're going to use to bridge them. The first step in a lot of this is understanding where the common ground is, so that we can connect these devices at a common ground, so that when we're looking at logic levels they're consistent. So right now I put my multimeter into what we call continuity mode. And if the sound was on, you would hear a beep when the two pins were connected. But you can also see on the display right now it says open line, which means there's no connection between them. But now on that pin you can see the resistance dropped to pretty much zero, which shows that there is no resistance between that pin and what I'm touching on the other side, which is the USB shielding, which is a grounded part of the board. So by doing that I was able to find the three pins on that side of the board that are all connected to the ground. Now using the pins on the Shikra device that are connected for logic analysis, I can connect the target pins that I want to interrogate, and see what is happening on those pins, to those logic pins on my Shikra-type device. So I've picked this one header in the middle. I picked it because I know that's the one that's transmitting. But in the real world, you would probably pick, you know, do this a few times until you find the header or the set of pins that has the information that you're looking for. So I make sure that I connect ground to ground so that there's common ground between the two boards. And then I connected the other two signal pins just to what we call 81, 80 and 81 on the Shikra device. And I'll show that when I get into the logic analyzer.
The next step is just connecting the two boards to my computer so that they're powered up and I can start to interact with them. So you can see that my Shikra device is now powered up and working, and in a second the other device should power up here. There you go. You can see the power light coming on. So that's the physical connection side of it. So that's how you would wire things up. That's how you would find the ground pins and wire things up to do some interrogation. Now I'm going to show you how we're going to use the device to do some actual interrogation and capture some signals. Any questions before I get into that?

>> I don't think so. Not from me, anyway. I'll keep an eye on chat. I played in a capture the flag, right? So normally we go to a conference and they have a CTF. This was a Hack the Hackers, or Teaching Hackers and all, I think in Ohio, but it was the badge challenge, right? The hardware hacking CTF challenge was the one that I don't know how to do. So I was relying on teammates and other folks that were there, like, "Oh, we'll just need to plug it in with the USB-C and then we could see what data is available." Which, I never knew the COM interface baud rate stuff, but maybe, curious how this translates.

>> Yes, that is exactly what we're going to be getting into. And so if my thing actually opens here, this is the demo gods coming into play right now. But we're going to talk about baud rate and what that means for these signals. Why is this not working?

>> Yeah, remember I've seen this VM be a little bit finicky with us. Mhm.

>> Is that trying to run PulseView? Just that icon there. Yeah. Yeah.

>> Yeah. Let me give this VM a quick reboot and we'll see what that does to it.

>> And you might have already covered this, so forgive me if I keep asking dumb questions, but PulseView is one of those analyzers, right?
Logic, to kind of be able to see what's happened where and when.

>> Yeah. So the one thing I forgot to mention when we were talking about, you know, the other required devices that you could use: so this has the capability to do logic analysis on four channels, which is okay. But there are much better devices. One of the best out there is from a manufacturer called Saleae, and they make devices that you can test, I think, 16 or more channels at a single time and at much faster sample rates than what this can test at. And so those ones can run in the hundreds of dollars kind of range for price. But if you're getting serious into hardware hacking, those are a good tool. And the software that works with them, it's called Logic 2. It's a proprietary software from Saleae, and is a very well-made and very polished piece of software, especially compared to PulseView. But PulseView is still a very capable and functional application, and it works with the chip that I have on this device. So that's why I'm trying to use it here.

>> Well, if we need to, we could dance around and, hey, still talk through what PulseView might be able to showcase if it just doesn't want to play nice. But I know VM wrestling is something of its own.

>> Okay, there we go.

>> Cool.

>> And I hate to be the one to ask, but is there a way to improve font or, yeah, make it a little bit bigger and easier to see for folks?

>> Yes. Let me see what I can do about that.

>> I know. Display resolution and all. Yeah.

>> When we start to hear the computer fan kick in, terrible. Even worse. All right. I'll try scaling things. See if that looks better. I'll see you. So the one thing I'm going to do is just, I'm going to restart, reconnect my devices, because PulseView can be a little finicky about starting without the device connected and finding it. So I'm just going to connect my devices to the VM here. Okay. So I should have, yeah.
Is that a little bit better for folks?

>> I think so. We'll wait for chat to tune in, but all looks good to me. I can see that one clearly. Thank you.

>> Yep. No problem. Okay. So we can see that it's auto-detected my FTDI chip. So it's using the correct driver to read the samples. The next thing I want to do is I'm going to change the sample rate. The default one, it starts off as 3.6 kHz, which is way too slow. What that means is how quick it's going to sample the data lines and determine whether that voltage is high or low. The more often we sample, the better we'll detect a change from high to low. If we're sampling too slow, then we might miss when that change happens, and that could throw off the timing that we're looking at and make the signal really hard to understand. So I'm going to pick 5 MHz, which is, you know, a decent sample rate. And then I'm going to pick 50 million samples, which is going to sample for about 10 seconds. You can sample for longer, but this is the period that I'm going to do. So now I'm just going to restart my run here. I heard lots of device disconnections in the background. So I feel like, yeah, everything just disconnected again.

>> Are you always working inside of a virtual machine when you play with these? I figure sometimes that might just kind of get in the way, right?

>> Yeah, I mean, my daily driver is a Windows machine, for better or for worse. And a lot of this stuff is much more convenient on a Linux system. So then I tend to work in a VM a lot. So let me see what I can do about this here.

>> I'll keep bantering while you're getting a chance to troubleshoot and play. I do see some comments in chat. Hey, which Linux distribution is good? Whether that's Kali Linux or Ubuntu, look, in all reality, you're just kind of going for whatever you find most comfortable, most easy to work in, most easy to set up. Really just what's convenient for you.
I like to run Kali because I like having those tools pre-installed, but Ubuntu really is going to work just fine.
>> Couple other questions I saw that were flying by. Some were asking, "Oh, is this course available online?" Soon, soon. And I'm grateful for Trevor being willing to help on that front. Anyway, sorry. Did we have a bit more progress? How's that?
>> I think we do. So when I run, you can see that it is sampling the data. And right now my device isn't turned on, so there's no activity going across any of these lines. So I'll stop it and do a fresh run, but this time I'll connect my device carefully. Let's try not to disturb anything. And voila, we start to see some data coming across the wire. So this is a good indication that this line here, the one that's labeled AD bus zero, has data coming across it. So we can trace that back. AD bus zero is the second pin. If we look back at my video, I think it was the sort of greenish colored one that I had connected. So that pin on my target board, the Allwinner board that I talked about, that is the one that is transmitting some kind of data. And we don't really know at this point what that data is. We just know that it's transmitting data. So we can zoom in. You can see here a waveform that we're seeing of a bunch of different ones and zeros. And we don't really fully understand what it is. But what I want to try to determine right now is, is this a UART signal that we're getting? So is this potentially a console that's being broadcast over UART? In order to test that, the first thing I need to know is, what is the data rate that the data is being sent at? And that's what we talked about as baud rate. So baud rate is defined as the rate that symbols change over time, the symbols being one or zero. So how quickly does the one or zero happen when it's being sent across the line?
So in order to figure that out, we need to do some measurements and see. So if I look over this trace of a waveform, I can see there are some here that look to be pretty skinny little pulses, and I'm going to make an assumption that they're probably a single bit, whereas these ones that are longer are maybe double or triple bits high. So what I want to know is, what is the width of a single bit? I'm going to add some cursors onto my display here and try to measure the width of that pulse there. And then if I zoom in... oh, I made a mistake here. Let me back up a sec. My sample rate was back down to 3.6. Let me set it back to 50 million samples at 5 MHz and run this again.
>> And can I ask what was kind of the clue that you were thinking? Oh, actually, hang on. I need to walk backwards for a sec. How did you kind of diagnose that, if I may ask?
>> Sorry, I don't know if my internet's flaking out, but your audio was a little bit flaky there for a second.
>> Oh, bummer. Okay. I was curious how you uncovered that when you were walking it back.
>> Yeah. So that's just from my own trial and error previously. Because, like I mentioned before, if the sample rate is too low, then I'm not going to detect when that bit change happens accurately. And so the width of those bits is not going to be right. And so in the previous capture that I had, I saw the value as being 1,00 MSA, which stands for mill sampling units, and that width was much too large for the data rate that I know this is coming at. And that's just because it's not sampling fast enough to accurately capture the pulses when they're changing. So now that I'm sampling at five megahertz, I know that my resolution when I'm sampling is going to be much better. So those widths are now much more reliable.
So if I do the same thing and I zoom in and pick out what are the smallest bits here, and then I try to sample these guys and put them here and here. And then if I zoom in, you can see my rate here that's being advertised at the top. It says 116.279 kilohertz. That matches pretty closely with one of the standard baud rates, which is 115200. So that's a pretty good indicator for me that this data rate is going to be 115200. The other thing I guess I should mention as well is I don't see any other signals in the trace that look like a defined clock signal, something that's very consistently pulsing. So if there's no defined clock on this, it's likely that it's using a defined data rate like a baud rate in order to determine how quickly this data is being sent. The other side that's receiving this data either needs a clock in order to sample correctly or it needs to know that data rate. Because we don't have a clock, we're making the assumption that there's a shared data rate, and that shared data rate is 115200, which is a pretty common standard baud rate for a lot of these devices. So things are lining up and making sense as we're seeing them. Now I'm going to add a protocol analyzer. And so what that's going to do is add a line here that will try to decode that protocol, the UART protocol, as it sees it coming across. So I need to configure it and tell it that the transmit line, the line that the data is coming across, is AD bus one. My baud rate is set to 115200 because we measured and figured it's that. The other settings here are pretty standard for serial connections on these types of devices. It's what we call 8N1. So eight data bits, no parity bit, one stop bit. The UART protocol has some flexibility in these. You could have more data bits than that, fewer data bits than that. You could have a parity bit, you can have up to two stop bits.
So there's flexibility in the protocol for how these things are defined. But the standard that is commonly used is what we call 8N1. So eight data bits, no parity bit, one stop bit. And so knowing that, the protocol analyzer can now start to decode the data. And you can see that it started to decode a bunch of this stuff here. But this isn't really showing us much other than it's decoding a start bit, some data coming across, stop bit, another start bit. So it's decoding the data and we're getting the data coming across, but it's hard to look at it in this view. So I'm going to open up the binary view and show the TX dump. So what's coming across the TX pin? And now this starts to look a lot more interesting and makes a lot more sense. So we can see, and I'll see if I can expand this window a little bit. No, maybe not. Nope. But we can start to see messages here on the side that are actual English messages, like U-Boot and DRAM, trying to boot from blah blah blah. And so we can see this is the device console that we're getting a view of now. And so that's really cool. We found a device console where we're seeing the boot-up of this device. The next step would be to try to interact with that console and see if we can get a shell from this console and start interacting with it that way. And that's one of the things we're going to teach in the course: how do you get that access? How do you interact with it? And then what can you do once you have that?
>> That is very cool. I had, you know, again, it's just even having the visibility, even being able to see what data is going back and forth on that device is pretty neat. Yeah. But then taking it even further to interact and do stuff with it, I guess that's the next step.
>> And that's what I'm excited to show people at the Chicago training.
>> Thanks so much. I'm pretty stoked.
It's going to be very, very cool to get some folks together, do this in person, IRL, with a take-home kit, doing some hardware hacking. Looking forward to it.
>> Yeah, me too.
>> There were a couple questions that came through, if that's all right. If you don't mind me peppering those in. I know they say, "Hey, maybe you already mentioned it, but trying to understand again, what is that hardware that you're using?" I know. I don't know. Don't mean to sound like a broken record, but I do know folks tune into the live stream here, and sometimes some before and after others. They say, "I have an old National Instruments myDAQ. Would that work with PulseView?" I don't know if that's something you know off the top of your head.
>> Off the top of my head, I don't know. I'm assuming that's like a scope, which is a more advanced logic analyzer, much more capable, but I don't have experience with that and whether it works with PulseView.
>> Another one that came through. Is there a whole other world to this when you're talking about Bluetooth, like BLE or Bluetooth hacking? Is that the same sort of setup or an entirely different ballgame?
>> That's a very different ballgame. But I think one of the neat things about working on hardware is, even if you have a device that is a Bluetooth device and Bluetooth capable, there are still going to be hardware aspects of that. There's a chip that is responsible for that. And that chip has different debug interfaces that you can interact with. So even if you don't have the Bluetooth hardware to interact with the device over Bluetooth, you may be able to attack it at the hardware layer and get access to the chip and what it's sending and receiving and attack it from that perspective. And the fundamentals and the concepts we're going to teach in the course translate to any other type of chip that you're going to look at.
I had slightly included some of the Bluetooth mention because I think you've been chipping away at maybe a little bit of an upskill challenge, some of the free material, education and training that we'll have out on JHT for Bluetooth hacking. Is that right?
>> That's right. So that comes from... I've taught this course a few different places in different versions as well, those being Black Hat and DEF CON, which were longer courses that had more material than what we're going to cover in just the one-day course. And that included some Bluetooth Low Energy hacking and interrogation. So I'm going to repurpose some of that content as an upskill challenge. I couldn't remember the word for it, but yeah, that is coming at some point once my schedule and life calms down a little bit.
>> No, I know we're all busy, all October, Cybersecurity Awareness Month, but thank you. I am grateful and so excited to have some folks dive into some of the Bluetooth end of things. But other questions that have been coming through are, hey, maybe sort of general, maybe just understanding, look, how much electronics info or knowledge is really necessary in this space? How much does this really translate to a potential career? Is there a whole lot of job opportunities with hardware hacking, or is it, hey, just kind of a fun hobby that could still translate well with skills? I don't know. Could you run with those?
>> Yeah. So, electronics knowledge necessary? It definitely helps to have some basic understanding of what a voltage means. But in terms of pure electronics and resistors and capacitors and understanding all that, it's not as necessary for at least the basic stuff.
When you get into the more advanced topics like glitching a board and applying different power and trying to inject faults into it, that knowledge then starts to become much more critical, because you need to understand how power is going to be absorbed and dissipated throughout the circuit and what you need to do to affect that. But in terms of the basics for interacting with debug capabilities, just a very simple, high-level understanding that a voltage of three volts or 3.3 volts means it's a high signal versus zero volts means a low signal, those kinds of things. And we'll talk about a little bit of that in the course, how logic is determined. But once you translate to that ones-and-zeros layer, the electrical side of it kind of gets abstracted out. And then in terms of career and where you can take this, I mean, my previous company that I worked with, really after DEF CON 26 and getting into hardware, we took a pretty hard focus into hardware hacking, and there was a lot of opportunity that we had with different law enforcement and intelligence agencies that are looking at devices and trying to understand how to secure their devices and potentially how to attack other devices. And so that was a large part of my career for a number of years, teaching those people, helping those people. And so there is a good segment of the market that is around both defending and attacking these devices.
I think you just, at the end of the day, build out this mastery and expertise that, look, you're the go-to expert, and that is something that is its own consulting-like echelon, where, look, yeah, folks that might be doing anything with any of the devices or embedded systems and all the tech that exists and is part of our world, look, if you kind of know the ins and outs of it, that's still extremely valuable. So...
>> Yeah,
>> for sure.
>> Well, I see a couple other questions that were coming in, and I'm grateful for some that probably tee up some of the Just Hacking Training stuff that we're up to. Hey, someone asking for affordable courses or free training material, name-your-price things to get up to speed on hacking, defense, and offense. Look, you've got Constructing Defense, you've got SOC Analyst 101, Incident Response 101, Attacking or Securing Active Directory. Tons of stuff over on justhacking.com. But anything more we could dive into for you, Trevor, and all that you're up to? Anything more on the road map, on the horizon? Anything else that we kind of forgot to mention or discuss with your awesome hardware hacking setup here?
>> So we did talk about that there is going to be an online version of this coming at some point in the future. So this kit will be available for purchase along with the exercises and the workshops. And I think that this kit gives us the opportunity to continually iterate and build more and more challenges around it, because we own the build chain for this. So we can build additional challenges and release that stuff over time as time goes on and make this thing a continually evolving learning challenge system.
>> That is so cool, and thank you. Hardware hacking is a whole new world for me. Like, I know nothing about it.
But I'm glad there is this accessible and easily extensible way to be able to play and practice, even on demand, even across the internet airwaves. While there's a ton of value, I know, making it there in person, being at BSides Chicago at the end of the month for that live, in-person training, it's still super cool. But, you know, if you can't make it, if you're not local, you're not in the area, well, there'll still be some opportunities super duper soon. So...
>> Yeah.
>> Any last questions in chat? Anything else that I see coming out? Do you need experience? Any experience necessary for this BSides class?
>> So I would say some basic Linux, being familiar with the command line, because we're going to be doing some stuff in the command line. So knowing, you know, that a USB device shows up under the /dev tree, right? Some stuff like that. But really not a lot of experience directly in hardware. At the very least, the goal of this is to take people that have never had experience in hardware and give them the familiarity and the comfort. If you have experience with hardware, I'm trying to build in layers to these challenges so that once you complete the basic building blocks, there'll be additional stuff you can try to do and challenge yourself on. So there should be content for people that have some experience in it as well. But no, anybody that's never touched hardware but has a decent understanding of hacking concepts in general and basic Linux, this is the course for you.
>> Sweet. Oh, so awesome. So cool. Thank you so much, Trevor. Look, I know we're in the last couple moments, so I will wind this thing down. But for all of you that tuned in and were hanging out with us, seriously, you know, I'm beating the drum. I'm screaming and shouting. I'm banging on the door.
I'm doing all the best that I can to let folks know about these BSides Chicago live training workshops that we're stoked about. Of course, you'll be hanging out with me. You'll be hanging out with Michelle Khan. You'll be hanging out with Trevor there in person, meals included, live training, hands-on, to be able to work with the experts, troubleshoot and debug in the moment, get that real-time feedback. So stoked for this. We'll be sharing the links around in chat again. There is a 10% discount if folks are jumping into the party and the end-of-the-month, October 31st workshop day at BSides Chicago. So cool for the opportunity to bring some Just Hacking friends, Just Hacking Training, the cohort, all-star instructors, and then be able to bring that even more in the online and on-demand virtual setup. But thank you for letting me talk shop. Thank you for letting me do another hype train, extra commotion for our Just Hacking Training live stream week. But this has been a ton of fun. So, thank you. Thank you. Thank you, Trevor.
>> Thank you as well. I appreciate the opportunity.
>> I'll play the sizzle reel and tune us all out, but that was a great stream. It was great to spend some time with you all.
>> Thanks.
>> All right. Goodbye, all. Have a happy Wednesday.
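The baud-rate inference and 8N1 decode that Trevor walks through in the stream, as an added example that is not code from the stream, the course kit, or PulseView. Everything here is simulated so it runs offline: the "capture" is a constructed TX line sampled at 5 MS/s by a transmitter assumed to run at 115200 8N1, and the console text is made up, not a real boot log. The two techniques are the ones from the stream: take the shortest pulse between idle periods as one bit time and snap it to the nearest standard baud, then recover bytes by sampling the middle of each bit after the start edge.

```python
"""Baud-rate inference and 8N1 decoding over a logic-analyzer-style capture.

Added example, not code from the stream or the course. The capture is
CONSTRUCTED (a simulated TX line sampled at 5 MS/s); on real hardware the
samples would come from the analyzer instead.
"""
from typing import List, Tuple

SAMPLE_RATE = 5_000_000            # 5 MHz, the rate chosen in the stream
TRUE_BAUD = 115200                 # assumed rate of the constructed transmitter
DATA = b"U-Boot SPL 2021.01\r\n"   # constructed console text, not a real log line
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)


def frame_bits_8n1(data: bytes) -> List[int]:
    """Bits on the wire for 8N1: start (0), eight data bits LSB first, stop (1)."""
    bits: List[int] = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> b) & 1 for b in range(8))
        bits.append(1)
    return bits


def simulate_capture(data: bytes, baud: int, sample_rate: int, idle_bits: int = 20) -> List[int]:
    """Constructed capture: one 0/1 sample per analyzer tick of an idle-high TX line."""
    bits = [1] * idle_bits + frame_bits_8n1(data) + [1] * idle_bits
    spb = sample_rate / baud                       # samples per bit, fractional
    samples = [1] * round(len(bits) * spb)
    for i, bit in enumerate(bits):
        for k in range(round(i * spb), round((i + 1) * spb)):
            samples[k] = bit
    return samples


def run_lengths(samples: List[int]) -> List[Tuple[int, int]]:
    """Collapse the sample stream into (level, length) runs, like cursor measurements."""
    runs: List[Tuple[int, int]] = []
    level, n = samples[0], 0
    for s in samples:
        if s == level:
            n += 1
        else:
            runs.append((level, n))
            level, n = s, 1
    runs.append((level, n))
    return runs


def estimate_baud(samples: List[int], sample_rate: int) -> Tuple[float, int]:
    """Shortest pulse between the idle periods is one bit time; snap it to a standard rate."""
    inner = run_lengths(samples)[1:-1]             # drop leading/trailing idle-high runs
    one_bit = min(length for _, length in inner)
    measured = sample_rate / one_bit               # Hz, i.e. symbols per second
    nearest = min(STANDARD_BAUDS, key=lambda b: abs(b - measured))
    return measured, nearest


def decode_uart_8n1(samples: List[int], baud: int, sample_rate: int) -> Tuple[bytes, int]:
    """Decode 8N1 frames by sampling the middle of each bit after a falling (start) edge.

    Returns (decoded bytes, framing-error count). A frame whose stop bit is not
    high is counted as a framing error and dropped, which is what you get when
    the baud-rate guess is wrong.
    """
    spb = sample_rate / baud
    out = bytearray()
    framing_errors = 0
    i, n = 0, len(samples)
    while i < n - 1:
        if not (samples[i] == 1 and samples[i + 1] == 0):
            i += 1                                 # no falling edge here
            continue
        start = i + 1
        if start + 10 * spb > n:                   # not enough capture left for a frame
            break
        if samples[int(start + 0.5 * spb)] != 0:   # mid-start-bit must still be low
            i += 1
            continue
        value = 0
        for b in range(8):
            value |= samples[int(start + (b + 1.5) * spb)] << b
        stop_idx = int(start + 9.5 * spb)
        if samples[stop_idx] == 1:
            out.append(value)
        else:
            framing_errors += 1
        i = stop_idx                               # resume hunting for the next start edge
    return bytes(out), framing_errors


CAPTURE = simulate_capture(DATA, TRUE_BAUD, SAMPLE_RATE)

if __name__ == "__main__":
    measured, nearest = estimate_baud(CAPTURE, SAMPLE_RATE)
    print(f"shortest pulse -> {measured:.3f} Hz, nearest standard baud {nearest}")
    text, errors = decode_uart_8n1(CAPTURE, nearest, SAMPLE_RATE)
    print(f"decoded at {nearest}: {text!r} ({errors} framing errors)")
    text, errors = decode_uart_8n1(CAPTURE, 57600, SAMPLE_RATE)
    print(f"decoded at 57600: {text!r} ({errors} framing errors)")
```

At 5 MS/s one bit of 115200 baud is 43.4 samples, so the shortest run measures 43 samples and 5,000,000 / 43 comes out at 116279 Hz, the same readout the cursors gave in the stream; it is the quantization of the sample clock, not the transmitter, that puts it off 115200. The same arithmetic shows why the 3.6 kHz default could not work: one bit lasts 8.7 µs while a sample period at 3.6 kHz is 278 µs, so whole bytes fall between samples. Decoding the capture at a wrong rate such as 57600 yields a short garbage string or framing errors rather than the console text, which is the practical check that the baud guess is right.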

Original Description

Just Hacking Training livestream with Trevor Stevado, Wednesday October 15th at 9am Pacific / 12pm Eastern.


This video teaches the basics of hardware hacking, including device debugging, UART shells, JTAG interface, and firmware extraction, with hands-on training and exercises using various tools.

Key Takeaways
  1. Get access to a blackbox device
  2. Use tools and techniques to pull back the curtain and understand the device at a deeper layer
  3. Use manufacturer-level debugging methods to get additional access to the system
  4. Hook debuggers onto the target as we're testing it
  5. Get a UART console working
  6. Use UART to get more access and visibility into a device
  7. Interact with discrete memory chips to pull code off of them
  8. Extract firmware from memory chips
💡 Hardware hacking involves buying devices, ripping them apart, and understanding their internals, and can be done with basic electronics knowledge, but advanced topics require more in-depth knowledge.
